
Docker swarm mode on RHEL

I have been trying to run a single-node docker swarm for testing on RHEL 7.6. firewalld is disabled and not running. The services run on an overlay network. I noticed that I cannot connect to the published ports, either from the host or from outside. This behaviour is consistent across the several RHEL instances I have tried. I do use docker swarm on Ubuntu 16.04LTS and 18.04LTS without any failures.

Below is my docker info:

Client:
 Debug Mode: false

Server:
 Containers: 14
  Running: 3
  Paused: 0
  Stopped: 11
 Images: 4
 Server Version: 19.03.3
 Storage Driver: overlay2
  Backing Filesystem: xfs
  Supports d_type: true
  Native Overlay Diff: true
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: active
  NodeID: fhewk7l15g42o36henpfigwjk
  Is Manager: true
  ClusterID: kegypzam66ehi6s50utrsff1l
  Managers: 1
  Nodes: 1
  Default Address Pool: 10.0.0.0/8
  SubnetSize: 24
  Data Path Port: 4789
  Orchestration:
   Task History Retention Limit: 5
  Raft:
   Snapshot Interval: 10000
   Number of Old Snapshots to Retain: 0
   Heartbeat Tick: 1
   Election Tick: 10
  Dispatcher:
   Heartbeat Period: 5 seconds
  CA Configuration:
   Expiry Duration: 3 months
   Force Rotate: 0
  Autolock Managers: false
  Root Rotation In Progress: false
  Node Address: 10.0.1.125
  Manager Addresses:
   10.0.1.125:2377
 Runtimes: runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: bb71b10fd8f58240ca47fbb579b9d1028eea7c84
 runc version: 2b18fe1d885ee5083ef9f0838fee39b62d653e30
 init version: fec3683
 Security Options:
  seccomp
   Profile: default
 Kernel Version: 3.10.0-957.5.1.el7.x86_64
 Operating System: Red Hat Enterprise Linux Server 7.6 (Maipo)
 OSType: linux
 Architecture: x86_64
 CPUs: 4
 Total Memory: 15.33GiB
 Name: rhel-test.dev.koopid.io
 ID: IM3X:THRY:FYUO:L7XI:VJW6:5B4Y:VZOX:YL43:E7WR:U5GM:3BQK:NLKP
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

And my overlaynet:

[
    {
        "Name": "overlaynet",
        "Id": "4g4dphekzyshqpcp0fjfmc877",
        "Created": "2019-10-18T14:29:06.284905975Z",
        "Scope": "swarm",
        "Driver": "overlay",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": null,
            "Config": [
                {
                    "Subnet": "172.20.0.0/24",
                    "Gateway": "172.20.0.1"
                }
            ]
        },
        "Internal": false,
        "Attachable": true,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {
            "142c22a7e517f463f37c89cfb58dcde37f9529c9b469357b37868057be044e48": {
                "Name": "dbsvcs_redis.1.0lsxkr88eq89igid7w7ifk3wq",
                "EndpointID": "167fbdfb2146f09bb20c258fea52d9f8ca886cf1d264b1d8cd9169532c26b9db",
                "MacAddress": "02:42:ac:14:00:03",
                "IPv4Address": "172.20.0.3/24",
                "IPv6Address": ""
            },
            "2e70a7589f13c74be66149d5bbf9504b5b74aee1ad6711f82ec4b02011c00cc1": {
                "Name": "dbpg_postgresql-rw.1.9keeuowk9zk5e6f8bq5a0itij",
                "EndpointID": "44a2376b4d0d2bdb8787c9cc18726da140ca0f9a8e97e54a6a78b2206e10a13b",
                "MacAddress": "02:42:ac:14:00:06",
                "IPv4Address": "172.20.0.6/24",
                "IPv6Address": ""
            },
            "d9119bb3d605aa9b2df23985cd884afa941499d888937e3c34f4ec08dac14c73": {
                "Name": "dbsvcs_influxdb.1.ap5cg0se1rntdbsopxbm7whma",
                "EndpointID": "d2a5c093a0721291a114309ef1fd690510b03007fdaf83c8d77e00870a1568cd",
                "MacAddress": "02:42:ac:14:00:04",
                "IPv4Address": "172.20.0.4/24",
                "IPv6Address": ""
            },
            "lb-overlaynet": {
                "Name": "overlaynet-endpoint",
                "EndpointID": "2bdf0d2370856d9a4b2da1e86d65521585ffc89c778f5db1d3f4b2fd39da7c8b",
                "MacAddress": "02:42:ac:14:00:08",
                "IPv4Address": "172.20.0.8/24",
                "IPv6Address": ""
            }
        },
        "Options": {
            "com.docker.network.driver.overlay.vxlanid_list": "4097"
        },
        "Labels": {},
        "Peers": [
            {
                "Name": "80ab8f4e3bcd",
                "IP": "10.0.1.125"
            }
        ]
    }
]

I have the following services and, as you can see, they all publish one or two ports.

4j7p43udxkoc        dbpg_postgresql-rw   replicated          1/1                 myregistry/postgres   *:5432->5432/tcp
hu0wkspwc7j3        dbsvcs_influxdb      replicated          1/1                 myregistry/influxdb   *:8086->8086/tcp
dlte2nzg226x        dbsvcs_redis         replicated          1/1                 myregistry/redis      *:6379->6379/tcp

You can see that port 5432 on INADDR_ANY is open on the host:

tcp6       1      0 :::5432                 :::*                    LISTEN

However, I cannot connect to port 5432 from an external host. The psql client times out, as if some firewall were blocking the connection.

If I enable firewalld, I see the following errors:

firewalld[2809]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -X DOCKER-ISOLATION-STAGE-2' failed: iptables: No chain/target/match by that name.
firewalld[2809]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -F DOCKER-ISOLATION' failed: iptables: No chain/target/match by that name.
firewalld[2809]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -X DOCKER-ISOLATION' failed: iptables: No chain/target/match by that name.
firewalld[2809]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i docker0 -o docker0 -j DROP' failed: iptables: Bad rule (does a matching rule exist in that chain?).
firewalld[2809]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i docker_gwbridge -o docker_gwbridge -j ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
firewalld[2809]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i docker0 -o docker0 -j DROP' failed: iptables: Bad rule (does a matching rule exist in that chain?).
firewalld[2809]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -nL DOCKER-INGRESS' failed: iptables: No chain/target/match by that name.
firewalld[2809]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -nL DOCKER-INGRESS' failed: iptables: No chain/target/match by that name.
firewalld[2809]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -nL DOCKER-INGRESS' failed: iptables: No chain/target/match by that name.
firewalld[2809]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -nL DOCKER-INGRESS' failed: iptables: No chain/target/match by that name.

Is this something I should worry about? Do I need to fiddle with iptables on RHEL to get docker swarm working? There are some reports of adding the docker control ports to iptables for multi-node cluster configurations. My iptables configuration is as follows...

$ iptables -L -v -n --line-numbers
Chain INPUT (policy ACCEPT 82507 packets, 8110K bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       30  5664 DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0
2       30  5664 DOCKER-INGRESS  all  --  *      *       0.0.0.0/0            0.0.0.0/0
3       30  5664 DOCKER-ISOLATION-STAGE-1  all  --  *      *       0.0.0.0/0            0.0.0.0/0
4        0     0 ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
5        0     0 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
6        0     0 ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
7        0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0
8       14  4064 ACCEPT     all  --  *      docker_gwbridge  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
9        0     0 DOCKER     all  --  *      docker_gwbridge  0.0.0.0/0            0.0.0.0/0
10      16  1600 ACCEPT     all  --  docker_gwbridge !docker_gwbridge  0.0.0.0/0            0.0.0.0/0
11       0     0 DROP       all  --  docker_gwbridge docker_gwbridge  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 82105 packets, 8106K bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain DOCKER (2 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain DOCKER-INGRESS (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5432
2        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED tcp spt:5432
3        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:6379
4        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED tcp spt:6379
5        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8086
6        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED tcp spt:8086
7       30  5664 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
2       16  1600 DOCKER-ISOLATION-STAGE-2  all  --  docker_gwbridge !docker_gwbridge  0.0.0.0/0            0.0.0.0/0
3       30  5664 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DROP       all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
2        0     0 DROP       all  --  *      docker_gwbridge  0.0.0.0/0            0.0.0.0/0
3       16  1600 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-USER (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1       30  5664 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

I would appreciate some help/guidance to get this working on RHEL, as I have been stuck on this for the past few weeks. Configuring and running docker swarm on Ubuntu was a breeze!!!

Here is how I finally got it working. I do not have a justification for every step. I also notice that I cannot connect to published service ports on localhost, and that the firewalld rules sometimes get messed up and need a restart. I am still investigating these issues. I followed Bertrand_Szoghy's answer to first install docker-ce and the related packages.

  1. firewalld needs to be installed on the server; rather than ipchain, firewalld is recommended on RHEL 7 or later.
  2. Open the docker swarm ports using firewalld. Follow the tutorial here. Also make sure to open the ports your services need. Reload the firewall rules (firewall-cmd --reload).
  3. Initialize the swarm (docker swarm init).
  4. Create the overlay network (docker network create --subnet 172.20.1.0/24 --driver overlay --attachable overlaynet).
  5. Join the other nodes to the swarm manager.

I noticed that the firewall must be configured before initializing the docker swarm. When I updated the firewalld configuration after initializing the docker swarm, I could not connect to the published ports from localhost or via the host IP. I am not sure why this order matters.

Currently, I can connect to the published service ports from the swarm manager itself or from outside the host using the swarm manager's IP address. I am still working out which firewall rules to add in order to connect via localhost.
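A script for step 2 of the answer above, added here as an example and not part of the original post: it checks which swarm and service ports are still closed in firewalld and opens only those, before docker swarm init. The swarm port list (2377/tcp, 7946/tcp+udp, 4789/udp) comes from Docker's swarm networking documentation; the service ports are the ones published in the question; the sample firewall-cmd output is constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes firewalld is the active
# firewall and that the published service ports are those from the question.
# Ports swarm needs, per Docker's swarm networking docs: 2377/tcp (manager
# API), 7946/tcp+udp (node gossip), 4789/udp (VXLAN data path, which matches
# "Data Path Port: 4789" in the docker info output above).
SWARM_PORTS="2377/tcp 7946/tcp 7946/udp 4789/udp"
SERVICE_PORTS="5432/tcp 6379/tcp 8086/tcp"

# missing_ports "<list-ports output>": print every swarm/service port that is
# absent from the given 'firewall-cmd --list-ports' output, one per line.
# Empty output means everything required is already open.
missing_ports() {
  open="$1"
  for p in $SWARM_PORTS $SERVICE_PORTS; do
    case " $open " in
      *" $p "*) ;;          # already open, nothing to do
      *) echo "$p" ;;       # still closed
    esac
  done
}

# open_ports: add a permanent rule for each port missing_ports reports, then
# reload so the runtime rules match. Run as root, BEFORE 'docker swarm init',
# since the answer notes the ordering matters.
open_ports() {
  open=$(firewall-cmd --list-ports)
  for p in $(missing_ports "$open"); do
    firewall-cmd --permanent --add-port="$p"
  done
  firewall-cmd --reload
}

# Constructed sample of 'firewall-cmd --list-ports' on a host where only the
# swarm control ports were opened: the three service ports are reported.
SAMPLE_OPEN="2377/tcp 7946/tcp 7946/udp 4789/udp"
echo "Still closed:"
missing_ports "$SAMPLE_OPEN"
```

Re-running missing_ports after a reload is a quick way to confirm the rules survived, which is useful given the answer's note that the firewalld rules sometimes need a restart.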
